Create and Convert Deployer Config

Replace ${CLUSTER_HOSTNAME} with a hostname that resolves (via A records) to every worker machine in the cluster, or to a load balancer that forwards traffic to all workers. This works because the Console and Identity services are exposed as Kubernetes "node ports": each service listens on the same port on every machine in the cluster, so any worker can answer the request. The hostname you choose must also match the TLS certificates you created for Console and Identity, because browsers, and Console itself when it talks to Identity, verify the certificate against that name.

Set identity-db-url to a PostgreSQL connection string (DSN) for the database Identity will use. The DSN carries the database password in clear text, so treat deployer-config.txt itself as sensitive: restrict its file permissions and keep it out of version control.

All other values already match the defaults, unless you changed them in earlier steps.

Example Deployer Config

# This file contains the necessary user-supplied settings for Tectonic.
# It is intended as input to generate-deployer-config.sh
# URL for Identity DB
identity-db-url=postgres://user:password@postgres.example.com:5432/tectonic
# Issuer for identity; used by Identity itself, Console, and other Relying Parties of Identity.
identity-issuer-url=https://${CLUSTER_HOSTNAME}:30556
# Customizes identity screens
identity-issuer-name=Organization ID Services
# Email address for Identity to send from.
identity-email-from=tectonic-identity@example.com
# Console URL
console-url=https://${CLUSTER_HOSTNAME}:32000
# Email address of the identity admin user
identity-admin-user=admin@example.com
# Certificate Authorities for Console: This should be the name of a Kubernetes Secret
# containing a "config" key, whose values are PEM-formatted certificates. These
# will be the trusted CAs that Console uses to make https requests. If this
# value is empty, then the host's root CAs will be used.
tectonic-ca-cert-secret=tectonic-ca-cert
# Secret containing TLS cert and key for Identity
tectonic-identity-tls-secret=tectonic-identity-cert
# Secret containing TLS cert and key for Console
tectonic-console-tls-secret=tectonic-console-cert

Customizing the Deployer Config for your Site

The fields in the deployer-config.txt file understood by the generate-deployer-config script are described below.

identity-db-url: The database used by Identity to store user information. Should be a PostgreSQL DSN format string yielding a connection to an existing, empty PostgreSQL DB.

identity-issuer-url: This is the URL of the Tectonic Identity service, against which Console will authenticate users. It must be the same URL set in Tectonic Services for the tectonic-identity-worker service, since Identity embeds it as the OIDC issuer and Console rejects tokens whose issuer does not match.

identity-issuer-name: This string will appear to users, e.g., "Sign into identity-issuer-name …"

identity-email-from: This is the email address that Identity will send email from.

console-url: This is the URL used to access Console. Used by tectonic-manager to set up post-authentication redirects. This should be the same URL set in "Tectonic Services" for the tectonic-console service.

identity-admin-user: Email address of the primary administrator; granted full administrator rights. The password will be created and stored in a secret later in this guide.

tectonic-ca-cert-secret: Name of the secret containing the CA certificate(s) that signed the Console and Identity TLS certificates; Console trusts these CAs when it makes HTTPS requests, for example to Identity. May be empty, in which case only the host's root CAs are used, which is appropriate when the certificates were issued by a public CA.

tectonic-identity-tls-secret, tectonic-console-tls-secret: Names of the secrets holding the TLS certificate and private key used to terminate TLS in the Identity and Console apps. They can be the same secret if a single certificate covers both hostnames (a wildcard certificate, or, since both services share ${CLUSTER_HOSTNAME} in this guide, a certificate for that one name). These are the names of the secrets created in the configure TLS certs step.
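The checks a practitioner would want to run on deployer-config.txt before converting it are collected in the following Python script. It is an added example, not part of Tectonic or its generate-deployer-config.sh; the required-key list, the check rules and the sample configuration are assumptions drawn from the field descriptions above, and the names parse_deployer_config, check_deployer_config and redact_dsn are the example's own.

```python
"""Pre-flight check for deployer-config.txt.

Added example, not part of the Tectonic project. It validates the
key=value fields described above before generate-deployer-config.sh
turns the file into a secret. The required-key list and the checks
are assumptions drawn from the field descriptions on this page.
"""
import re
from urllib.parse import urlparse

REQUIRED_KEYS = (
    "identity-db-url",
    "identity-issuer-url",
    "identity-issuer-name",
    "identity-email-from",
    "console-url",
    "identity-admin-user",
    "tectonic-identity-tls-secret",
    "tectonic-console-tls-secret",
)
# tectonic-ca-cert-secret may be empty (host CAs are used), so it is optional.
OPTIONAL_KEYS = ("tectonic-ca-cert-secret",)

# Kubernetes secret names are lowercase RFC 1123 names.
SECRET_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
# An unexpanded ${CLUSTER_HOSTNAME} is the most common copy-paste mistake.
PLACEHOLDER_RE = re.compile(r"\$\{[^}]*\}")


def parse_deployer_config(text):
    """Parse key=value lines; '#' comments and blank lines are ignored.
    Duplicate keys are an error because the last one would silently win."""
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        key = key.strip()
        if key in config:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        config[key] = value.strip()
    return config


def check_deployer_config(config):
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not config.get(key):
            problems.append(f"{key}: missing or empty")
    for key in config:
        if key not in REQUIRED_KEYS + OPTIONAL_KEYS:
            problems.append(f"{key}: unknown key (typo?)")
    for key, value in config.items():
        if PLACEHOLDER_RE.search(value):
            problems.append(f"{key}: unexpanded placeholder in {value!r}")

    # Database DSN: scheme, host and database name must all be present.
    dsn = urlparse(config.get("identity-db-url", ""))
    if dsn.scheme not in ("postgres", "postgresql"):
        problems.append("identity-db-url: scheme must be postgres:// or postgresql://")
    elif not dsn.hostname or len(dsn.path) < 2:
        problems.append("identity-db-url: host and database name are required")

    # Identity and Console are reached over TLS, so http:// is a mistake here.
    for key in ("identity-issuer-url", "console-url"):
        url = urlparse(config.get(key, ""))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key}: must be an https:// URL with a hostname")

    for key in ("identity-email-from", "identity-admin-user"):
        if "@" not in config.get(key, ""):
            problems.append(f"{key}: not an email address")

    # Secret names are passed to Kubernetes verbatim, so check them up front.
    for key in ("tectonic-ca-cert-secret",) + REQUIRED_KEYS[-2:]:
        name = config.get(key, "")
        if name and not SECRET_NAME_RE.match(name):
            problems.append(f"{key}: {name!r} is not a valid Kubernetes secret name")
    return problems


def redact_dsn(dsn):
    """Mask the password so the DSN can be echoed in logs or tickets."""
    return re.sub(r"(://[^:/@]+:)[^@]*@", r"\1***@", dsn)


# Constructed sample: the page's example with the hostname substituted.
SAMPLE_CONFIG = """\
# deployer-config.txt (constructed sample)
identity-db-url=postgres://user:password@postgres.example.com:5432/tectonic
identity-issuer-url=https://tectonic.example.com:30556
identity-issuer-name=Organization ID Services
identity-email-from=tectonic-identity@example.com
console-url=https://tectonic.example.com:32000
identity-admin-user=admin@example.com
tectonic-ca-cert-secret=tectonic-ca-cert
tectonic-identity-tls-secret=tectonic-identity-cert
tectonic-console-tls-secret=tectonic-console-cert
"""

# Constructed sample with two common mistakes: unexpanded placeholder and http://.
BAD_CONFIG = SAMPLE_CONFIG.replace(
    "https://tectonic.example.com:30556", "https://${CLUSTER_HOSTNAME}:30556"
).replace("console-url=https://", "console-url=http://")

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        cfg = parse_deployer_config(text)
        print(name, redact_dsn(cfg["identity-db-url"]))
        for problem in check_deployer_config(cfg):
            print("  -", problem)
```

To check your own file, replace SAMPLE_CONFIG with the contents of deployer-config.txt; a non-empty problem list means stop before running generate-deployer-config.sh. The redacted DSN is what you should paste into a support ticket or chat, never the raw line from the file.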

After adjusting your deployer-config.txt according to the above, use generate-deployer-config.sh to convert it to a secret for loading into your cluster:

Creating Identity Connectors

Connectors allow Identity's underlying Dex engine to delegate authentication to one or more external identity providers.
In the simplest case, described here, local logins are authenticated by Identity itself against the user ID and password it stores in its own database.
The connector definition for this configuration is a JSON array with a single local connector:

[
  {
    "type": "local",
    "id": "local"
  }
]

Store this JSON excerpt in a file named identity-connectors.json for conversion into a secret named tectonic-identity-connectors, by the usual means: